HRPP Policy - Use of PHI in Research

PHI may be used for research purposes when the subject provides authorization. An authorization to use and disclose PHI must be written in plain language and must include all of the following elements:

• Name and address of the subject, if the study team is seeking release of medical records
• A specific and meaningful description of the information to be used or disclosed, written in a language understandable to the subject
• The name or identification of the persons or class of persons authorized to make disclosures of identifiable health information (i.e., who is releasing information)
• The name or identification of the persons or class of persons authorized to receive the identifiable health information and to use the information for research-related purposes (i.e., research personnel and other individuals who are part of the research team, described as broadly as possible to cover all possible circumstances)
• A description of the purpose of each use or disclosure of identifiable health information
• An expiration date for the authorization, such as a date, an event, or a statement like, "end of research study"
• The individual's signature (or that of his/her legally authorized representative, including a description of that representative's authority to act on behalf of the individual, if applicable) and the date, unless the Privacy Board waives this requirement
• A statement that the individual may revoke the authorization in writing to a member of the research team, except to the extent that research personnel had already acted in good faith on the signed authorization
• A statement that an individual's clinical treatment may not be conditioned upon whether or not the individual signs the research authorization; however, participation in research may be conditioned on a signed authorization
• A statement that information disclosed under the authorization could potentially be re-disclosed by the recipient and would no longer be protected under federal privacy regulations

Unless an alteration is granted per 2.2, HIPAA authorization is documented by the use of an approved, standalone written authorization document, or a combined informed consent and authorization document, dated by the prospective subject or prospective subject's LAR at the time of authorization. A copy of the signed form is given to the subject or subject’s LAR.

PHI may be used or disclosed for research purposes when a Privacy Board approves a waiver of authorization. In addition, the Privacy Board may approve an alteration to the authorization requirements described in 2.1 above. The Privacy Board may approve such a waiver or alteration if it determines all of the following:

• The use or disclosure of PHI involves no more than minimal risk to the confidentiality to the subject, based on the presence of the following elements:
  • An adequate plan exists to protect the identifiers from improper use and disclosure
  • An adequate plan exists to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law
  • There is adequate written assurance that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research, or for other research for which the use or disclosure of PHI would be permitted by the HIPAA Privacy Rule
• The research could not practicably be conducted without the waiver
• The research could not practicably be conducted without access to and use of the PHI

An IRB may serve as the Privacy Board for purposes of granting waivers of authorization pursuant to this section.  Additionally, the IU Office of Research Compliance maintains a HIPAA Privacy Board for purposes of granting waivers of authorization pursuant to this section when IU IRB is not serving as IRB of record and/or when IRB review and approval is not required for the project.  Uses or disclosures of PHI made pursuant to a waiver of authorization or alteration of authorization requirements are subject to the minimum necessary rules.

Research subject to VA regulations is not eligible for an alteration of the authorization requirements, but the Privacy Board may consider a waiver of authorization for this research.

De-identified health information is not considered PHI and may be used or disclosed for research purposes without authorization from the research subject or a waiver of authorization from a Privacy Board.

Research personnel using de-identified information must be able to provide documentation, upon request, that the health information was de-identified by one of the following two methods/processes:

• Expert Determination: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information, and, documents in writing the methods and results of the analysis that justifies such determination.
• Safe Harbor Method: The following identifiers concerning the individual or of the individual's employer, relatives, and household members are removed:
  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code
  • Elements of dates (except year) directly related to an individual including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary identifiers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web universal resource locators (URL)
  • Internet protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

The following demographic information may be used and still be considered de-identified:

• Age with dates limited to the year (age 90 and over must be aggregated to 90+ to prevent the identification of very old individuals)
• Aggregated ZIP codes in the form of the initial three-digit ZIP codes that contain more than 20,000 people
• Race
• Ethnicity
• Marital status
• Codes that can be affixed to the research record that will permit the information to be reidentified by the covered entity if necessary, provided that the key to such a code is not accessible to the research personnel requesting to use or disclose the de-identified health information. Codes may not be a derivative of the individual's name (e.g., initials), Social Security number, or other identifiable numerical codes (e.g., birth date, medical record number, fax number). If such a code is utilized, the data will not be considered de-identified.

Research personnel must be able to provide documentation upon request that the individual creating the de-identified data set has legitimate access to the PHI.

A Limited Data Set excludes direct identifiers and may be used or disclosed for research purposes without authorization from the research subject or a waiver of authorization from a Privacy Board. A Limited Data Set may not include any of the identifiers which must be removed for the safe harbor method above, with the exception of the following direct identifiers:

• Town, city, county, precinct, state and ZIP code
• All elements of dates directly related to an individual, including birth date, admission date, discharge date, and date of death
• Unique identifying numbers, characteristics, and codes

For any research use of a Limited Data Set, the covered entity disclosing the Limited Data Set must enter into a Data Use Agreement with the recipient of the information.

Uses or disclosures of PHI as Limited Data Sets for research purposes are subject to the minimum necessary rules.

PHI of decedents deceased less than 50 years may be used or disclosed for research purposes without authorization from the research subject or a waiver of authorization from a Privacy Board. Research personnel must provide documentation of all of the following upon request:

• The use will be solely for research on the identifiable health information of decedents
• The PHI sought is necessary for the purposes of the research
• Documentation of the death of the individual about whom information is being sought

PHI of individuals deceased more than 50 years is not protected under the HIPAA Privacy Rule and not subject to this policy.

PHI may be used for research purposes without authorization from the subject or a waiver of authorization from a Privacy Board for reviews preparatory to research (i.e., feasibility studies) when all the following are true:

• The use or disclosure of identifiable health information is solely to prepare a research protocol or for similar purposes that are preparatory to research
• Research personnel shall not record or remove the information from the covered entity. Research personnel may access PHI electronically in order to review the information, but may not record, store, or otherwise retain the information after the review.
• The information sought is necessary for the purposes of the research (e.g., a feasibility analysis to determine the number of potential subjects with a certain disease for submission in a grant)

Uses or disclosures of PHI for reviews that are preparatory to research are subject to the minimum necessary rules.

Members are appointed to the IU Privacy Board to ensure the following requirements are met:

• The Privacy Board has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests;
• The Privacy Board includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and

Members may not participate in the review of any project in which the member has a conflict of interest.

The IU Privacy Board will meet on an ad hoc basis, as needed.  Privacy Board approvals will be reported to the IU Privacy Board periodically.

The study team describes the use of PHI in the human subjects application and submits the mechanism for obtaining HIPAA authorization when applicable.

For research subject to VA regulations, subjects must provide written HIPAA authorization on VA Form 10-0493 unless HIPAA authorization is combined with the informed consent document, or waived.

A request for waiver or alteration of authorization requirements is submitted via Kuali Protocols to the Privacy Board for review and approval. When the Privacy Board approves such a waiver or alteration, it must document all of the following:

• Privacy Board of record
• Date of Privacy Board approval of the waiver
• Statement that the waiver of HIPAA authorization satisfies the criteria described in 2.2 above
• A brief description of the PHI for which the Privacy Board has determined use or disclosure to be necessary
• Identification of the Privacy Board review procedure used to approve the waiver
• Signature of the Chair of the Privacy Board or a qualified voting member designated by the Chair

Documentation of the approval of the waiver or alteration of authorization can be found in the Approval Letter, Approval Comment section in Kuali Protocols, NHSR Determination Comment section in Kuali Protocols, and/or in the Administrative Details form in Kuali Protocols.

Protocol-specific mechanisms for ensuring confidentiality of research data, including PHI, are also described by the study team in the human subjects application. The IRB or Privacy Board considers the information in the human subjects application and documents its determinations as appropriate. IU and its affiliates have agreed that identified systems provide adequate provisions to protect confidentiality of research data -see IU HRPP Guidance on HIPAA. If research personnel will use only these systems to collect and/or store research data, the IRB may find that adequate provisions exist to maintain confidentiality of data without additional information.

When HIPAA authorization is required, authorization must be documented as follows, unless the Privacy Board grants an alteration per 2.2:

• Subjects (or their legally authorized representative) must sign a document with the required elements of authorization prior to participating in research activities subject to HIPAA.
  • Signature may be provided via physical, "wet", or electronic signature which meets the requirements of state law in the jurisdiction where the research is being conducted.
  • For VA research, authorization may be documented electronically so long as it meets all VA requirements for use of electronic signature, including use of VA compliant systems and prior approval by the Office of Research and Development (ORD).
  • The subject may fax or email a signed copy of the authorization to the research site (preferably to the interviewer and/or research personnel). Unless the IRB approves otherwise, the study team must receive a copy of the signed authorization prior to beginning research procedures.
  • If the subject is physically unable to provide a signature, he/she makes a mark on the authorization and the study team must document the circumstances. If the subject is unable to make a mark, the study team must request a subject-specific waiver of HIPAA authorization.
• The authorization must be dated with the date of signature.

Authorization from the subject or a waiver of authorization for recruitment from the Privacy Board is required before a covered entity may disclose protected health information for research recruitment purposes.

Procedures for researchers to request a waiver of authorization for recruitment and for the Privacy Board review of a waiver of authorization for recruitment are as described in Section 3.1 above.

Psychotherapy notes may only be used for research purposes, including recruitment, with authorization from the subject.

Subjects who participate in research have the right to access PHI (i.e., inspect and obtain a copy) about them which is stored as part of the research record. Subjects participating in treatment studies may be temporarily suspended from accessing their research records for as long as the research is in progress, provided that:

• The subject agreed to the denial of access in the HIPAA authorization
• The subject's right of access will be reinstated upon completion of the research

A research subject may revoke authorization, in writing, to a person on the research team, at any time. The revocation will be applicable to the study or studies specified by the individual.

When a subject revokes authorization, data collected on the subject to the point of the subject's revocation remains part of the study records and may not be deleted. Copies of revocations of authorizations should be maintained as part of the research record.

The HRPP shall maintain a Privacy Board roster listing Privacy Board members by name and affiliation and indicating whether the member has disclosed any financial or other conflicts of interest.